lack of builtin range checking of id fields
| Reported by: | anonymous | Owned by: | glassresistor |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
The lack of builtin range checking for id fields is a vulnerability.
/service/docserver/papers/3/ --> produces a document
/service/docserver/papers/6578/ --> produces 404 page
/service/docserver/papers/9999999999999999999/ --> throws OverflowError
Traceback is at http://paste.pocoo.org/show/218865/
I think the last case should throw DoesNotExist instead of causing server error.
In the case at hand I used generic views and sqlite3 DB backend.
Of course, one can check this oneself all over the place; however, that would be against the DRY principle.
Not to mention, it would be complicated when using generic views.
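The three cases from the report, reproduced against a constructed in-memory SQLite table, with a range check that turns the OverflowError into a plain not-found result. This is an added example, not code from the ticket or from Django; `NotFound`, `make_db`, `naive_lookup`, `safe_lookup` and the signed 64-bit bounds are assumptions (a real AutoField would use the narrower range of its column type via the `lo`/`hi` parameters).

```python
import sqlite3

# SQLite INTEGER is a signed 64-bit value; the sqlite3 module raises
# OverflowError when a Python int outside that range is bound as a parameter.
SQLITE_INT_MIN = -(2 ** 63)
SQLITE_INT_MAX = 2 ** 63 - 1


class NotFound(Exception):
    """Stand-in for Django's Http404 / DoesNotExist (assumption: no Django here)."""


def make_db():
    """Constructed in-memory table standing in for the ticket's 'papers' model."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE papers (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO papers VALUES (?, ?)",
                     [(3, "Paper three"), (17, "Paper seventeen")])
    return conn


def naive_lookup(conn, raw_id):
    """Behaviour the ticket describes: the URL value is cast to int and bound directly."""
    row = conn.execute("SELECT title FROM papers WHERE id = ?", (int(raw_id),)).fetchone()
    if row is None:
        raise NotFound(raw_id)
    return row[0]


def safe_lookup(conn, raw_id, lo=SQLITE_INT_MIN, hi=SQLITE_INT_MAX):
    """Validate the id's range first so an out-of-range value is a 404, not a 500."""
    try:
        pk = int(raw_id)
    except (TypeError, ValueError):
        raise NotFound(raw_id) from None
    if not lo <= pk <= hi:
        raise NotFound(raw_id)
    return naive_lookup(conn, pk)


def classify(lookup, conn, raw_id):
    """Label how a lookup behaves on raw_id: found, a clean 404, or a server error."""
    try:
        return "found:" + lookup(conn, raw_id)
    except NotFound:
        return "404"
    except OverflowError:
        return "500-overflow"
```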
Change History (4)
comment:1 Changed 5 years ago by gregmuellegger
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:3 in reply to: 2; follow-up: 4 Changed 5 years ago by glassresistor
- Component changed from Database layer (models, ORM) to Documentation
- Owner changed from nobody to glassresistor